Email encryption flaw gives hackers full access to your secret messages

Researchers at the Munster University of Applied Sciences discovered vulnerabilities in the Pretty Good Protection (PGP) and S/MIME technologies used to encrypt email. The problem resides in how email clients use these plug-ins to decrypt HTML-based emails. Individuals and companies are encouraged to disable PGP and/or S/MIME in their email clients for now and use a separate application for message encryption. 

Called EFAIL, the vulnerability abuses “active” content rendered within HTML-based emails, such as images, page styles, and other non-text content stored on a remote server. To successfully carry out an attack, the hacker must first have the encrypted email in possession, whether it’s through eavesdropping, hacking into an email server, and so on. 

The first attack method is called “Direct Exfiltration” and abuses vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. An attacker creates an HTML-based email comprising of three parts: the start of an image request tag, the “stolen” PGP or S/MIME ciphertext, and the end of an image request tag. The attacker then sends this revised email to the victim. 

On the victim’s end, the email client first decrypts the second part and then combines all three into one email. It then converts everything into an URL form starting with the hacker’s address and sends a request to that URL to retrieve the nonexistent image. The hacker receives the image request, which contains the entire decrypted message. 

The second method is called the “CBC/CFB Gadget Attack,” which resides within the PGP and S/MIME specifications, affecting all email clients. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. When the victim’s client opens the message, the plaintext is exposed to the hacker. 

Ultimately, if you don’t use PGP or S/MIME for email encryption, then there’s nothing to worry about. But individuals, companies, and corporations who use these technologies on a daily basis are advised to disable related plugins and use a third-party client to encrypt emails, such as Signal (iOS, Android). And because EFAIL relies on HTML-based emails, disabling HTML rendering is also advised for now. 

“This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad (sic),” F-Secure’s Mikko Hypponen wrote in a tweet. He later said that people use encryption for a reason: Business secrets, confidential information, and more.  

According to the researchers, “some” email client developers are already working on patches that either eliminates EFAIL altogether or makes the exploits harder to accomplish. They say the PGP and S/MIME standards need an update, but that “will take some time.” The full technical paper can be read here. 

The problem was first leaked by the Süddeutschen Zeitun newspaper prior to the scheduled news embargo. After the EFF contacted the researchers to confirm the vulnerabilities, the researchers were forced to release the technical paper prematurely.

Computing

Decades-old Apple IIe computer found in dad’s attic, and it still works

A New York law professor went viral last weekend after he discovered an old Apple IIe computer sitting in his dad's attic. In a series of tweets, he showed that the vintage machine still works perfectly fine after 30 years.
Computing

Reluctant to give your email address away? Here's how to make a disposable one

Want to sign up for a service without the risk of flooding your inbox with copious amounts of spam and unwanted email? You might want to consider using disposable email addresses via one of these handy services.
Emerging Tech

Of all the vape pens in the world, these 5 are the best

Vaping concentrates has become significantly more popular, especially among those that use cannabis for medicinal purposes. But don’t use just any vape pen: we found these five devices to be our favorites in 2018.
Smart Home

Language barrier? Psh. Here's how to make your Google Home an ace translator

You can now use interpreter mode on your Google Home devices. This means, you can use your Google Home device to translate conversations in real-time. Here's how to use interpreter mode.
Gaming

Here's how you can play your favorite PC games with a Nintendo Switch controller

Nintendo's Switch controllers, including the Joy-Cons and the aptly titled Pro Controller, use Bluetooth, which makes them compatible with your PC. Here's how to start using them for PC gaming.
Computing

Don't take your provider's word for it. Here's how to test your internet speed

If you're worried that you aren't getting the most from your internet package, speed tests are a great way to find out what your real connection is capable of. Here are the best internet speed tests available today.
Computing

Logitech’s G MX518 gaming mouse pairs classic looks with all-new tech

Logitech is relaunching one of its most popular classic gaming mice, the MX518. Now called the G MX518, it sports upgraded internals that give it a 16,000 DPI optical sensor and new and improved memory.
Computing

Microsoft could be planning a laptop with foldable screen, hints patent filing

Filed in late 2017 and titled "Bendable device with Display in Movable Connection With Body," the patent filing explains a new mechanism for laptops which can eliminate a hinge and allow the screen to fold shut from the inside,
Deals

From Chromebooks to MacBooks, here are the best laptop deals for February 2019

Whether you need a new laptop for school or work or you're just doing some post-holiday shopping, we've got you covered: These are the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.
Computing

Is AMD's Navi back on track for 2019? Here's everything you need to know

AMD's Navi graphics cards could be available as soon as July 2019 — as long as it's not delayed by stock problems. Billed as a successor to Polaris, Navi promises to deliver better performance to consoles, like Sony's PlayStation 5.
Deals

Here are the best Chromebook deals available in February 2019

Whether you want a compact laptop to enjoy some entertainment on the go, or you need a no-nonsense machine for school or work, we've smoked out the best cheap Chromebook deals -- from full-sized laptops to 2-in-1 convertibles -- that won't…
Computing

RTX might be expensive, but the 16 series could have the best Nvidia Turing GPUs

Set to debut at a step below the RTX 2060 on the price and performance spectrums, the GTX 1660 Ti and its other 16-series brethren could be Nvidia's killer mid-range cards of 2019 — especially with Tensor Core-powered DLSS.
Computing

Ryzen 3000 chips will be powerful, and they might be launched as early as July

AMD's upcoming Ryzen 3000 generation of CPUs could be the most powerful processors we've ever seen, with higher core counts, greater clock speeds, and competitive pricing. Here's what we know so far, based on both leaks and the recent…
Computing

With no plans for merging operating systems, Apple opts to combine apps instead

Apple is working on combining all of the the apps it offers to iPhone, iPad, and Mac users by 2021. App developers will soon be able to build and submit one version of their apps to be used by Apple product users.